usb: uas: fix a plug & unplug racing
authorEJ Hsu <ejh@nvidia.com>
Thu, 30 Jan 2020 09:25:06 +0000 (01:25 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 28 Feb 2020 16:22:16 +0000 (17:22 +0100)
commit 3e99862c05a9caa5a27969f41566b428696f5a9a upstream.

When a uas disk is plugged into an external hub, uas_probe()
will be called by the hub thread to do the probe. It will
first create a SCSI host and then do the scan for this host.
During the scan, it will probe the LUN using SCSI INQUERY command
which will be packed in the URB and submitted to uas disk.

There might be a chance that this external hub with uas disk
attached is unplugged during the scan. In this case, uas driver
will fail to submit the URB (due to the NOTATTACHED state of uas
device) and try to put this SCSI command back to request queue
waiting for next chance to run.

In normal case, this cycle will terminate when hub thread gets
disconnection event and calls into uas_disconnect() accordingly.
But in this case, uas_disconnect() will not be called because
hub thread of external hub gets stuck waiting for the completion
of this SCSI command. A deadlock happened.

In this fix, uas will call scsi_scan_host() asynchronously to
avoid the blocking of hub thread.

Signed-off-by: EJ Hsu <ejh@nvidia.com>
Acked-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200130092506.102760-1-ejh@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/storage/uas.c

index 475b9c692827a3a0742b8f295ceab1ef4f7256df..bb2198496f4225e57d713fdd3b854d4d59017378 100644 (file)
@@ -45,6 +45,7 @@ struct uas_dev_info {
        struct scsi_cmnd *cmnd[MAX_CMNDS];
        spinlock_t lock;
        struct work_struct work;
+       struct work_struct scan_work;      /* for async scanning */
 };
 
 enum {
@@ -114,6 +115,17 @@ out:
        spin_unlock_irqrestore(&devinfo->lock, flags);
 }
 
+static void uas_scan_work(struct work_struct *work)
+{
+       struct uas_dev_info *devinfo =
+               container_of(work, struct uas_dev_info, scan_work);
+       struct Scsi_Host *shost = usb_get_intfdata(devinfo->intf);
+
+       dev_dbg(&devinfo->intf->dev, "starting scan\n");
+       scsi_scan_host(shost);
+       dev_dbg(&devinfo->intf->dev, "scan complete\n");
+}
+
 static void uas_add_work(struct uas_cmd_info *cmdinfo)
 {
        struct scsi_pointer *scp = (void *)cmdinfo;
@@ -983,6 +995,7 @@ static int uas_probe(struct usb_interface *intf, const struct usb_device_id *id)
        init_usb_anchor(&devinfo->data_urbs);
        spin_lock_init(&devinfo->lock);
        INIT_WORK(&devinfo->work, uas_do_work);
+       INIT_WORK(&devinfo->scan_work, uas_scan_work);
 
        result = uas_configure_endpoints(devinfo);
        if (result)
@@ -999,7 +1012,9 @@ static int uas_probe(struct usb_interface *intf, const struct usb_device_id *id)
        if (result)
                goto free_streams;
 
-       scsi_scan_host(shost);
+       /* Submit the delayed_work for SCSI-device scanning */
+       schedule_work(&devinfo->scan_work);
+
        return result;
 
 free_streams:
@@ -1167,6 +1182,12 @@ static void uas_disconnect(struct usb_interface *intf)
        usb_kill_anchored_urbs(&devinfo->data_urbs);
        uas_zap_pending(devinfo, DID_NO_CONNECT);
 
+       /*
+        * Prevent SCSI scanning (if it hasn't started yet)
+        * or wait for the SCSI-scanning routine to stop.
+        */
+       cancel_work_sync(&devinfo->scan_work);
+
        scsi_remove_host(shost);
        uas_free_streams(devinfo);
        scsi_host_put(shost);